What is the Computer Fraud and Abuse Act? Charges and Penalties
The Computer Fraud and Abuse Act (CFAA) is a federal law that was passed by Congress in 1986 to address growing concerns about computer hacking. The law prohibits accessing a computer without authorization or exceeding authorized access. Violations of the CFAA can lead to both criminal and civil penalties.
Background of the CFAA
Prior to the CFAA, computer crimes were prosecuted under mail and wire fraud laws. But these laws were often insufficient for addressing new types of computer hacking and intrusion.
The CFAA was originally intended to protect government and financial institution computers. But amendments over the years have expanded the law’s scope to cover any computer connected to the internet.
Some key events in the history and evolution of the CFAA:
- 1986 – CFAA is enacted as an amendment to the Comprehensive Crime Control Act of 1984. Originally protects government and financial institution computers.
- 1994 – Amended to allow civil lawsuits under the CFAA. Expanded to protect any computer used in interstate commerce.
- 1996 – Expanded definition of protected computer to include any computer used in interstate or foreign commerce.
- 2001 – Patriot Act expanded scope to include computers outside U.S. affecting commerce or communication within the U.S.
- 2008 – Definition expanded again to include any computer used in or affecting interstate or foreign commerce.
The CFAA allows for both criminal and civil penalties.
Punishments under the CFAA can include:
- Fines up to $250,000 for individuals, $500,000 for organizations.
- Imprisonment up to 10 years for first offenses, 20 years for repeat offenses.
- Forfeiture of property used to commit the crime.
- Restitution to victims.
Harsher punishments apply for violations involving national security information or damage affecting 10 or more protected computers.
The CFAA allows victims to sue offenders for damages like:
- Loss or damage to systems and data.
- Cost of responding to offense, conducting damage assessment, restoring data or systems.
- Loss of revenue due to interruption of service.
- Any other loss reasonably incurred as a result of the violation.
Minimum damages are $5,000 per violation.
The Computer Fraud and Abuse Act is a powerful tool for prosecutors to combat cybercrime. But the law’s vague wording, harsh punishments, and broad scope have raised concerns among legal experts, technologists and internet freedom advocates. Ongoing legislative efforts seek to reform the CFAA to better balance security and innovation in the digital age.